Something You Know, Something You Have: Better Security With Two Factor Authentication

Extra security with two factor authentication

Two factor authentication adds an extra step to the process of logging into your accounts.

It’s inconvenient.

It makes you safer.

Until recently, two factor authentication was only used by techies and high value targets in government and enterprises. The world has gotten more dangerous and two factor authentication has become easier to use. Now many of us should think about doing more to protect our identity, our data, and our clients’ secrets.

Most descriptions of two factor authentication (AKA “two step verification”) make it sound complicated. Let’s see if we can de-mystify it.

What is two factor authentication (short version)?

When two factor authentication is turned on for one of your accounts – Google, LastPass, your bank – you have to enter your password, PLUS you have to supply one more thing. The extra thing might be a code that is sent as a text message to your phone, or a number generated by an app on your phone, or something else.

You’ll go to a website and put in your password like usual.

[Image: Google login - password prompt]

When two factor authentication is enabled, you’ll then be prompted for a code. You can’t get into the account until you put in the code.

[Image: Google login - two factor authentication code prompt]

Why should you use two factor authentication?

When you set up two factor authentication, your account is still secure even if the password is hacked.

Security starts with good password habits. Before you do anything else, you should start using LastPass and make sure your passwords are unique and complex. But after you do that, you are still at risk, because passwords are hacked all the time.

To say that your password is “hacked” just means that some bad guys have learned what it is. That generally happens in one of two ways:

•  You might give away your own password if you are fooled by a phishing message. More than 90% of successful cyberattacks start with phishing emails.

•  The bad guys might get your password when a big company gets hacked. There is nothing you can do to prevent that. It has happened many times in the last few years and it will happen many more times to come.

If an account is secured by two factor authentication, then the bad guys can’t get into the account even if they get the password. They’ll be asked for the other thing – the text message code or the number from the app on your phone – and they won’t have any way to supply it.

What is two factor authentication (long version)?

Two factor authentication means your account can only be opened if you supply something you know together with something you have or something you are.

You may not have thought about it, but your bank uses two factor authentication every time you walk up to an ATM. You insert something you have – your debit card – and you type in something you know – your PIN. That’s two factor authentication.

Online accounts almost always start with a password. Your password is something you know.

Your phone is something you have. Since everyone always has their phone, it’s become the most common way to add an additional step to authenticate you. There are three ways that you can use your phone for two factor authentication – SMS text message, an authenticator app, or biometrics.

•  Code sent by text message to your phone. This is the most common kind of two factor authentication. Your account is set up so it cannot be opened until a six or seven digit code is typed in. The code is sent by text message to the phone number that you have on file.

•  Code created by an authenticator app on your phone. You can install an app on your phone that generates a new code every 30 seconds. The best known and most widely used is Google Authenticator. There are also apps from LastPass, Microsoft, and others.

Authenticator apps are considered to be more secure than SMS text messages. This should be your first choice, if it’s available.

After you install the authenticator app on your phone, setting it up for one of your accounts is usually easy. Log into your LastPass Vault, for example. In Settings / Account Settings / Multifactor Options, choose two factor authentication with Google Authenticator. In the next window, you’ll see a barcode. On your phone, you’ll open Google Authenticator and hold it up so the camera can see the barcode. That’s all there is to it. In a second or two, the Google Authenticator app will begin generating codes for LastPass.

•  Biometrics. The second factor doesn’t have to be a number. It’s also possible to set up two factor authentication with something you are – your fingerprint, or facial recognition, or even retinal or iris scans from a camera scanning your eye. Voice identification? Maybe, someday. Although these are rare today, lots of companies are working in this area right now, trying to improve your security and help us get out of our password hell.


[Image: Two factor authentication - YubiKey]

There’s one more type of authentication – and this one is considered to be the most secure.

•  A hardware key. Services with the highest level of security (for example, LastPass and Google) let you set up two factor authentication with a hardware key that you carry with you on your keychain. The best known are made by YubiKey. They range from fingernail size to the size of a thin USB stick, and typically are inserted into a USB port when required as part of logging into a website or online service. You can get a YubiKey with NFC built-in that can be tapped on a phone.

Last month Google introduced its own hardware key, the Titan Security Key. In time, it will likely be accepted at as many places as YubiKey, but at the moment it’s not quite as widely supported.

Security keys provide the best defense against account breaches. A hacker on the other side of the world trying to break into your account needs not only your password but also your physical hardware key.

Hardware keys have long been used by high risk targets like journalists, human rights activists, and government officials. Google has been issuing hardware keys to its employees since 2012 and recently highlighted the effectiveness of hardware keys with a remarkable statistic: “At Google, we have had no reported or confirmed account takeovers due to password phishing since we began requiring security keys as a second factor for our employees.”

Each key costs about $50. You have to buy two and set up both of them, then leave one in a safe place where it won’t get lost. If you only buy one and you lose it, you’ll be locked out of your account. That’s the point.

I’ve started using a YubiKey whenever possible. I have to tap it to my phone to open LastPass. I have to insert it into a USB port on my computer to log into my Google account.

It’s inconvenient. No getting around it. If I don’t have the key nearby, I can’t log in.

It’s safe.

What a pain! Is there something that makes this easier?

Some services (including LastPass and Google) allow you to check a box for the service to trust the device that you’re using at that moment – perhaps permanently, perhaps for two weeks or a month. You still have to supply a password but you won’t be asked for the other factor – the code, the hardware key – because you’re using something that you trust and that is secure. If someone steals your phone, they can’t unlock it because they don’t have your fingerprint or your face, so it’s reasonable to decide that you don’t want the hassle of holding up a YubiKey every time you want to open LastPass on that phone. If someone steals your laptop but they don’t know your login password, they can’t get to Chrome and your Google account, so you might want to make the laptop a trusted device so you can stay logged into your Google account.

The effect is that the inconvenience is minimized day to day but you still get increased protection. The extra step will still be required if you or anyone else tries to sign into your account from another computer.

When should you use two factor authentication?

Start with adding two factor authentication to LastPass. If you’re using LastPass properly, it has the keys to everything important in your life and deserves very high security.

Your Google account should be protected by two factor authentication. Google has information that could compromise your privacy and your security. Your Google account might be linked to other services. Google might have passwords, files, or mail in addition to all of its personal information about you.

If you use an online service to store confidential files – Dropbox, Box, OneDrive, Google Drive – then two factor authentication increases the security of those files. This is especially important if you have an obligation to protect your client documents. Lawyers and CPAs, for example, should be taking extra steps to make sure online files are secure.

Obviously, anything to do with financial services deserves the extra security of two factor authentication – banks, QuickBooks Online, or PayPal, for example.

Facebook strongly encourages use of two factor authentication. It’s especially important if your Facebook account is linked to other services.

Microsoft supports two factor authentication for its business Office 365 services, which is particularly important for larger businesses that use a wide variety of Microsoft business services.

Once you get in the habit, it’s easy to use two factor authentication and you may want to enable it whenever it’s available. I use Google Authenticator on my phone dozens of times a day as I go in and out of services that might affect my clients. Perhaps you should too.